RID  Updates 


•  Purpose 

•  RID  and  INCH 

•  Generalizing  RID  draft 

-  Communication  flow  for  all  IODEF  documents 

-  Schema  changes 

-  Transport  in  a  separate  document 

•  Communication  Mechanism  for  RID  Documents 

•  RIDPolicy 
Real-time  Inter-network  Defense  (RID) 


•  Facilitate  Communication  of  IODEF  documents  between 
Network  Providers  (NPs)  and  CSIRTs 

•  *  Report  incidents  to  NPs  or  CSIRTs 

•  Trace  Security  Incidents  to  the  Source 

•  Stop  or  Mitigate  the  Effects  of  an  Attack  or  Security  Incident 

-  Integrate  with  existing  and  future  network  components 

Intrusion  Detection  Systems 

Systems  to  trace  traffic  across  a  network 

Network  devices  such  as  routers  and  firewalls 

•  Provide  secure  means  to  communicate  IODEF  documents 

-  Consortiums  agree  upon  use  and  abuse  guidelines 

-  Consortiums  provide  Public  Key  Infrastructure  to  support 
encryption  and  digital  signing  requirements 
Generalization  of  RID  for  IODEF 


*  RID  is  used  to  communicate  security  incident  handling 
information  between  CSIRTs  or  Network  Providers  (NPs) 

*  RID  initially  intended  for: 

-  Reporting  and  tracing  security  incident  information  to  a  RID  system 
close  to  the  attack  source 

-  Integration  with  traceback  systems  and  intrusion  detection 

-  Method  to  stop  attack  traffic  close  to  the  source 

*  The  generalization  of  RID  specifies 

-  Communication  flow  to  facilitate  RID  messaging 

*  Major  document  updates  include 

-  RID  no  longer  an  extension  of  IODEF  using  the  AdditionalData  class 

Separate  schema  which  acts  as  an  XML  wrapper  for  IODEF  documents 

-  Text  changes 

-  New  message  types 

Ability  to  send  an  incident  report  with  no  required  action 
Ability  to  request  information  about  an  incident 

*  Are  there  any  other  cases  that  are  not  yet  covered? 
RID  Envelope  for  IODEF 
•  All  IODEF  documents  are  enveloped  in  RID  XML  for  transport 

•  The  envelope  facilitates  communication  of  IODEF  documents  and  sets  the  purpose  of  the  message 

-  Reporting 

-  Investigation  (source  is  known) 

-  Trace  request 

-  Incident  Query 

•  Transport  protocol:  will  be  defined  in  a  separate  document 

-  SOAP  and  HTTPS 
Communicating  RID  Messages 


*  RID  serves  as  the  message  wrapper  for  all  IODEF  documents 

*  RID  defines  the  communication  flow  of  all  IODEF  documents 
using  the  defined  RID  message  types 

-  Trace  Request 

Requires  integration  with  traceback  systems  to  identify  upstream  source 

-  Trace  Authorization 

Traceback  approval  status  in  upstream  provider’s  network 

-  Result 

*Previously  known  as  “Source  Found” 

*Actions  will  be  expanded  in  the  data  model  to  support  the  necessary  options 

-  Investigation 

*Previously  Relay  Request 

Incident  Investigation  for  attack  mitigation  with  a  known  source 

-  *Report 

Statistics  -  no  action  necessary 

-  *  IncidentQuery 

Request  a  report  on  a  particular  incident  or  type  of  incident 

*  RID  Systems  Must  Track  the  Requests  by 

-  *  Incident  Number  and  Instance  ID 

The  incident@ID  attribute  from  the  IODEF  data  model  is  referenced  in  RIDPolicy 
Format:  CSIRT  name-IncidentID-Instance 

-  Packet  Contents 

-  Completion  Status 

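The envelope-and-tracking behaviour described on this slide, as an added example (not code from the RID draft or from Lincoln Laboratory): a RID system builds an envelope whose RIDPolicy carries the message type and the CSIRT name-IncidentID-Instance reference, reads the policy back out without walking the IODEF payload, rejects message types outside the enumerated list, and keeps a request table keyed by incident number and instance with a completion status. The namespaces, the `MsgType`/`IncidentID` attribute names and the sample IODEF body are assumptions, since the slides do not show the schema.

```python
import io
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Assumed namespaces and attribute names: the slides describe a RIDPolicy
# class inside a RID envelope but do not show the schema.
RID_NS = "urn:example:rid"
IODEF_NS = "urn:example:iodef"
ET.register_namespace("rid", RID_NS)
ET.register_namespace("iodef", IODEF_NS)

# Enumerated RID message types and the reply each one requires
# (Report and TraceAuthorization/Result need none).
RESPONSE_FOR = {
    "TraceRequest": "Result",
    "TraceAuthorization": None,
    "Result": None,
    "Investigation": "Result",
    "Report": None,            # statistics only, no action necessary
    "IncidentQuery": "Report",
}

# Constructed sample IODEF body (not a real incident).
SAMPLE_IODEF = (
    f'<IODEF-Document xmlns="{IODEF_NS}"><Incident>'
    '<IncidentID name="csirt-a">1234</IncidentID>'
    '<Description>constructed sample: SYN flood observed</Description>'
    '</Incident></IODEF-Document>'
)


@dataclass(frozen=True)
class RIDPolicy:
    msg_type: str
    csirt: str
    incident_id: str
    instance: str

    @property
    def key(self):
        return (self.csirt, self.incident_id, self.instance)


def parse_incident_ref(ref):
    """Split 'CSIRTname-IncidentID-Instance'. The CSIRT name may itself
    contain hyphens, so split from the right (assumes IncidentID and
    Instance do not)."""
    parts = ref.rsplit("-", 2)
    if len(parts) != 3 or not all(parts):
        raise ValueError(f"malformed incident reference: {ref!r}")
    return tuple(parts)


def build_envelope(msg_type, incident_ref, iodef_xml):
    """Wrap an IODEF document in a RID envelope; RIDPolicy comes first so a
    receiver can read it before the payload."""
    if msg_type not in RESPONSE_FOR:
        raise ValueError(f"unknown RID message type: {msg_type!r}")
    parse_incident_ref(incident_ref)  # reject a bad reference before sending
    root = ET.Element(f"{{{RID_NS}}}RID")
    ET.SubElement(root, f"{{{RID_NS}}}RIDPolicy",
                  MsgType=msg_type, IncidentID=incident_ref)
    root.append(ET.fromstring(iodef_xml))
    return ET.tostring(root, encoding="unicode")


def read_policy(envelope_xml):
    """Return the RIDPolicy as soon as its end tag is seen, without walking
    the IODEF payload that follows it."""
    stream = io.BytesIO(envelope_xml.encode("utf-8"))
    for _event, elem in ET.iterparse(stream, events=("end",)):
        if elem.tag == f"{{{RID_NS}}}RIDPolicy":
            msg_type = elem.get("MsgType")
            if msg_type not in RESPONSE_FOR:
                raise ValueError(f"unknown RID message type: {msg_type!r}")
            csirt, inc, inst = parse_incident_ref(elem.get("IncidentID", ""))
            return RIDPolicy(msg_type, csirt, inc, inst)
    raise ValueError("no RIDPolicy element in envelope")


class RIDTracker:
    """A RID system's table of outstanding requests, keyed by incident
    number and instance, with a completion status per request."""

    def __init__(self):
        self.requests = {}

    def receive(self, envelope_xml):
        """Record the message; return the reply type it still requires."""
        pol = read_policy(envelope_xml)
        expected = RESPONSE_FOR[pol.msg_type]
        if expected:
            self.requests[pol.key] = {"request": pol.msg_type,
                                      "awaiting": expected, "status": "pending"}
        else:
            entry = self.requests.get(pol.key)
            if entry and entry["status"] == "pending" and entry["awaiting"] == pol.msg_type:
                entry["status"] = "complete"
        return expected

    def status(self, incident_ref):
        entry = self.requests.get(parse_incident_ref(incident_ref))
        return entry["status"] if entry else None


if __name__ == "__main__":
    tracker = RIDTracker()
    print(tracker.receive(build_envelope("Investigation", "csirt-a-1234-1", SAMPLE_IODEF)))
    print(tracker.receive(build_envelope("Result", "csirt-a-1234-1", SAMPLE_IODEF)))
    print(tracker.status("csirt-a-1234-1"))
```

Splitting the reference from the right matters because CSIRT names such as `csirt-a` contain the same separator the format uses; a receiver that split from the left would mis-key its request table and never mark the Result as received.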

RID-INCH-6    KMM  8/2/2005    MIT  Lincoln  Laboratory 


Schema  Updates 


•  RID  Schema 

-  Envelope  for  the  IODEF  document 

-  Separated  out  from  IODEF  extension 

Facilitates  transport  requirements 

Enables  easy  access  to  necessary  document  data  to  prevent  the 
need  to  parse  the  entire  document  received 

RIDPolicy  class  can  easily  be  pulled  into  the  SOAP  header 

-  Enumerated  lists  added  for  all  relevant  elements 

-  List  values  changed  from  decimal  type  to  string  for 
readability  of  the  document  where  possible 
Report  Message 


Report  is  sent  to  CSIRT  or  NP 

No  action  is  necessary  for  this  message  type 

Used  for  statistics  and  generating  trending  information 

Transport  will  use  TCP  (HTTPS),  so  no  response  message  is 
necessary  (delivery  is  confirmed  at  the  transport  layer) 

[Figure:  Report  in  RID  wrapper  sent  to  the  RID  System  /  Incident  DB] 
Investigation  Message 

[Figure:  IODEF  report  in  RID  wrapper  sent  to  the  RID  System] 


•  Investigation  message  is  sent  to  CSIRT  or  NP 

•  An  Investigation  is  requested  where  the  source  is  known 

•  Purpose  is  to  mitigate  or  stop  the  attack  traffic 

•  A  response  via  the  Result  message  is  required 

-  Details  the  action(s)  taken 
Trace  Request  Message 

[Figure:  Trace  Request  (IODEF  report  in  RID  wrapper)  sent  to  the  RID  System] 

•  Trace  Request  is  sent  to  CSIRT  or  NP  RID  System 

•  A  traceback  investigation  is  requested  to  locate  the  source 

•  Each  upstream  RID  system  receiving  the  trace  request  must  decide  if  the  trace  will  be  authorized 

•  Purpose  is  to  mitigate  or  stop  the  attack  traffic 

•  A  response  via  the  Result  message  is  required 

-  Details  the  action(s)  taken 
IncidentQuery  and  Receive  Report 

[Figure:  IncidentQuery  in  RIDPolicy  wrapper  sent  to  the  RID  System;  Report  returned] 

•  IncidentQuery  request  is  sent  to  CSIRT  or  NP 

*  Purpose  is  to  obtain  information  on  a  particular  incident  or  a  type 
of  incident 

•  A  response  via  the  Report  message  is  provided 

*  Note:  A  Report  message  can  also  be  used  by  itself  to  provide  new 
information  on  a  security  incident  to  a  RID  system 
Transport  in  a  New  Draft 

SOAP  Draft  defines  the  transport  protocol  for  RID  documents 

RID  will  define  the  message  communication  flow  and  the  transport 
document  discusses  SOAP  and  HTTPS  for  transport 

XML  Security 

-  Policy  negotiated  in  RID  message  through  the  RIDPolicy,  not  in 
SOAP  or  other  transport  wrapper 

-  Provide  integrity,  authentication,  authorization 

-  XML  digital  signature,  encryption,  and  public  key  infrastructure 

Encryption  of  RID  for  privacy  and  security  reasons  should  be  via  XML 
encryption  and  not  through  the  security  provided  by  a  wrapper  or  higher 
level  protocol 

SOAP  Wrapper 

-  Method  to  transport  messages 

-  HTTPS  will  be  the  mandatory  protocol  for  implementation 

Not  necessarily  the  most  efficient  transport  for  the  IODEF  messages,  but 
agreed  upon  by  the  WG  for  ease  of  initial  implementation 

-  Other  protocols  may  be  added  for  optional  support 
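Why the draft wants integrity and confidentiality at the XML layer rather than in the SOAP/HTTPS wrapper: a RID message can pass through intermediate RID systems, and each HTTPS session ends at the next hop, so transport security alone says nothing about what an intermediary did to the RIDPolicy. The following added example (not code from the RID or SOAP drafts) shows an origin signing the RID envelope, a relay stripping and re-wrapping the SOAP envelope for the next hop, and the destination verifying the end-to-end signature; a relay that rewrites the message type is caught, while a legitimate re-wrap is not. HMAC-SHA256 over Canonical XML stands in for XML digital signature with consortium PKI keys, which the Python standard library does not implement; the RID namespace, the `Hop` and `Signature` header elements and the shared key are assumptions. `xml.etree.ElementTree.canonicalize` needs Python 3.8 or later.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET

# Assumed RID/IODEF namespaces; the SOAP 1.1 envelope namespace is the real one.
RID_NS = "urn:example:rid"
IODEF_NS = "urn:example:iodef"
SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
for _prefix, _uri in (("rid", RID_NS), ("iodef", IODEF_NS), ("soap", SOAP_NS)):
    ET.register_namespace(_prefix, _uri)

# Constructed sample RID envelope (Report, no action required).
SAMPLE_RID = (
    f'<rid:RID xmlns:rid="{RID_NS}" xmlns:iodef="{IODEF_NS}">'
    '<rid:RIDPolicy MsgType="Report" IncidentID="csirt-a-1234-1"/>'
    '<iodef:IODEF-Document><iodef:Incident>constructed sample</iodef:Incident>'
    '</iodef:IODEF-Document></rid:RID>'
)
SHARED_KEY = b"constructed-consortium-key"  # stands in for the sender's PKI key


def canonical(rid_xml):
    """Canonical XML, so re-serialisation by an intermediary (attribute
    order, whitespace) does not change the bytes that were signed."""
    return ET.canonicalize(xml_data=rid_xml, strip_text=True).encode("utf-8")


def sign_rid(rid_xml, key):
    # HMAC-SHA256 used here in place of an XML-DSig signature (assumption).
    return hmac.new(key, canonical(rid_xml), hashlib.sha256).hexdigest()


def verify_rid(rid_xml, signature, key):
    return hmac.compare_digest(sign_rid(rid_xml, key), signature)


def soap_wrap(rid_xml, signature, hop):
    """Transport wrapper for one hop: per-hop data lives in the SOAP header,
    the signed RID envelope goes untouched into the body."""
    env = ET.Element(f"{{{SOAP_NS}}}Envelope")
    header = ET.SubElement(env, f"{{{SOAP_NS}}}Header")
    ET.SubElement(header, f"{{{RID_NS}}}Hop").text = hop          # assumed element
    ET.SubElement(header, f"{{{RID_NS}}}Signature").text = signature  # assumed element
    ET.SubElement(env, f"{{{SOAP_NS}}}Body").append(ET.fromstring(rid_xml))
    return ET.tostring(env, encoding="unicode")


def soap_unwrap(soap_xml):
    env = ET.fromstring(soap_xml)
    signature = env.findtext(f"{{{SOAP_NS}}}Header/{{{RID_NS}}}Signature")
    rid = env.find(f"{{{SOAP_NS}}}Body/{{{RID_NS}}}RID")
    return ET.tostring(rid, encoding="unicode"), signature


def hop_of(soap_xml):
    return ET.fromstring(soap_xml).findtext(f"{{{SOAP_NS}}}Header/{{{RID_NS}}}Hop")


def relay(soap_xml, next_hop, tamper=False):
    """An intermediate RID system: the inbound HTTPS session ended here, so it
    rebuilds the transport wrapper for the next hop. With tamper=True it also
    escalates the message type, which only a message-level signature catches."""
    rid_xml, signature = soap_unwrap(soap_xml)
    if tamper:
        rid = ET.fromstring(rid_xml)
        rid.find(f"{{{RID_NS}}}RIDPolicy").set("MsgType", "Investigation")
        rid_xml = ET.tostring(rid, encoding="unicode")
    return soap_wrap(rid_xml, signature, next_hop)


def end_to_end(tamper=False):
    """Origin -> relay -> destination; return whether the destination accepts."""
    signature = sign_rid(SAMPLE_RID, SHARED_KEY)
    first_hop = soap_wrap(SAMPLE_RID, signature, "origin->relay")
    second_hop = relay(first_hop, "relay->destination", tamper=tamper)
    rid_out, sig_out = soap_unwrap(second_hop)
    return verify_rid(rid_out, sig_out, SHARED_KEY)


if __name__ == "__main__":
    print("honest relay accepted:", end_to_end())
    print("tampering relay accepted:", end_to_end(tamper=True))
```

The same argument applies to confidentiality: XML encryption of the RID payload keeps the relay from reading incident details it only needs to forward, whereas HTTPS exposes the plaintext at every hop.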
RID  Policy 


•  RID  Policy 

-  Ensures  policy  information  is  transferred  between  participating  RID  peers 

-  Policy  information  is  carried  in  RID  so  that  policy-related  issues  do  not  rely  on  the 
transport  mechanism  for  enforcement 

Message  type  is  specified  in  the  RIDPolicy  class 
*Adding  one  for  reporting/statistics 

-  Incident  number  is  referenced  in  RIDPolicy  to  facilitate  transport 

•  RIDPolicy  Information 

-  Identifies  where  the  traffic  may  have  policy  issues 

Client  to  NP 

NP  to  client 

Within  a  consortium 

Between  peers 

Between  consortiums 

Across  national  boundaries 

•  Purpose  is  to  try  to  prevent  abuse  of  the  system 

-  Address  security,  confidentiality,  and  privacy  concerns  listed  in  the  draft 

-  Must  be  complemented  with  policies  formed  by  consortiums/federations,  or 
between  peers 

New  extension  created  to  address  issues  raised  at  IETF-59 


•  Any  comments  on  RIDPolicy? 
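How a RID system could act on the policy regions listed above, as an added example (not code from the RID draft): the sender and receiver are classified into the slide's categories (client to NP, NP to client, within a consortium, between peers, between consortiums, across national boundaries), a consortium policy table decides which message types each category accepts, a Trace Request that crosses a national boundary is held for authorization rather than answered automatically, and a per-peer cap on open traces gives a simple abuse check. The `Peer` attributes, the policy table, the decision values and the cap are assumed, illustrative policy; the draft leaves these to consortium and peer agreements.

```python
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional, Tuple

ALL_TYPES = {"TraceRequest", "TraceAuthorization", "Result",
             "Investigation", "Report", "IncidentQuery"}


@dataclass(frozen=True)
class Peer:
    name: str
    kind: str                   # "client", "NP" or "CSIRT" (assumed attribute)
    country: str
    consortium: Optional[str]   # None: bilateral peering only, no consortium


def policy_regions(sender: Peer, receiver: Peer) -> List[str]:
    """Map a sender/receiver pair onto the slide's policy categories. A message
    can fall into two at once, e.g. within a consortium and across a border."""
    regions = []
    if sender.kind == "client" and receiver.kind != "client":
        regions.append("client to NP")
    elif sender.kind != "client" and receiver.kind == "client":
        regions.append("NP to client")
    elif sender.consortium and sender.consortium == receiver.consortium:
        regions.append("within a consortium")
    elif sender.consortium and receiver.consortium:
        regions.append("between consortiums")
    else:
        regions.append("between peers")
    if sender.country != receiver.country:
        regions.append("across national boundaries")
    return regions


# Illustrative consortium policy (assumed): message types accepted per region.
ALLOWED = {
    "client to NP": {"Report", "IncidentQuery"},   # customers report, they do not drive traces
    "NP to client": {"Report", "Result"},
    "within a consortium": ALL_TYPES,
    "between peers": ALL_TYPES,
    "between consortiums": {"Report", "IncidentQuery", "Investigation", "Result"},
}
# Regions where these types need an explicit authorization decision first (assumed).
NEEDS_REVIEW = {"across national boundaries": {"TraceRequest", "Investigation"}}
MAX_OPEN_TRACES = 3   # assumed per-peer abuse threshold


class PolicyEngine:
    """Decides, for one RID system, whether an incoming message is acted on.
    Returns (decision, regions); decision is Authorized, Pending or Denied."""

    def __init__(self, me: Peer):
        self.me = me
        self.open_traces = Counter()

    def decide(self, sender: Peer, msg_type: str) -> Tuple[str, List[str]]:
        if msg_type not in ALL_TYPES:
            raise ValueError(f"unknown RID message type: {msg_type!r}")
        regions = policy_regions(sender, self.me)
        for region in regions:
            if region in ALLOWED and msg_type not in ALLOWED[region]:
                return "Denied", regions
        if msg_type == "TraceRequest":
            if self.open_traces[sender.name] >= MAX_OPEN_TRACES:
                return "Denied", regions          # too many traces outstanding from this peer
            self.open_traces[sender.name] += 1
        for region in regions:
            if msg_type in NEEDS_REVIEW.get(region, ()):
                return "Pending", regions         # wait for a TraceAuthorization decision
        return "Authorized", regions

    def close_trace(self, sender: Peer) -> None:
        """Called when the Result for a trace from this peer has been sent."""
        if self.open_traces[sender.name] > 0:
            self.open_traces[sender.name] -= 1


if __name__ == "__main__":
    engine = PolicyEngine(Peer("np-a", "NP", "US", "consortium-1"))
    print(engine.decide(Peer("np-b", "NP", "US", "consortium-1"), "TraceRequest"))
    print(engine.decide(Peer("np-c", "NP", "DE", "consortium-1"), "TraceRequest"))
    print(engine.decide(Peer("cust", "client", "US", None), "TraceRequest"))
```

Keeping this decision inside the RID layer is the point of the slide: the SOAP/HTTPS hop can authenticate the immediate neighbour, but only the RIDPolicy knows which CSIRT originated the request and whether the consortium agreement covers it.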
Summary 


•  Updates  from  the  previous  version 

-  Continuing  work  on  generalization  of  RID  to  support  transport  of  all 
IODEF  documents 

Many  text  updates 
DTD  was  removed 

•  Near  Future  Updates  will  include 

-  RID  Schema 

Separate  RID  schema  is  an  envelope  for  IODEF,  not  an  extension 
RIDPolicy  class  references  global  IODEF  attribute  for  incidentID 
Enumerated  lists  included  for  allowed  values  in  schema  definition 

-  Added  message  types  for  incident  query  and  response 

-  Added  information  about  IPFIX 

IETF  flow  analysis  standard  emerging 

-  Pending  on  release  of  IODEF  data  model 

Need  to  ensure  documents  flow 

Need  to  update  the  text  sections  of  document  to  eliminate  DTD  references 

-  Separate  document  for  SOAP  wrapper  and  transport 

•  http://www.ietf.org/internet-drafts/draft-ietf-inch-rid-02.txt 